Cyber Losses - Business Interruption

Rehana MoosaBy Rehana Moosa

Published in the September 2019 edition of Without Prejudice

Malware. Ransomware. Phishing. Wannacry. Petya. NotPetya. The terminology of cyber attacks and cyber losses seems to change at a bewildering pace. According to Statistics Canada, in 2017, more than 20% of Canadian businesses reported they were impacted by a cyber security incident. As technology continues to advance and businesses become more reliant on their IT systems, cyber attacks will become more sophisticated, leading to an increase in the size and volume of cyber insurance claims. This article discusses how cyber losses can result in a business interruption loss.

What is cyber insurance?

Cyber insurance policies provide coverage for losses caused by a cyber-related security breach. Losses can include ransom payments (threats to destroy data or withhold decryption codes unless a ransom is paid), theft of personal or commercially sensitive information, business interruption during network downtime, and various investigation and response costs (e.g. notifying customers of the breach). Forensic accountants are typically retained in cyber losses to quantify the business interruption losses (i.e. lost profits) resulting from the cyber attack.

How can a cyber attack cause a business interruption loss?

Traditional causes of business interruption losses such as floods and fires generally impact a business in one of two ways: they either cause a loss of revenue or an increase in operating costs (or both). Business interruption due to cyber attacks is no different. Below are a few examples based on files on which we have worked:

  • Lost sales – During the period in which the network is being restored, an insured may not be able to access its data, or other critical IT functions such as email. This can result in lost sales orders if the insured is unable to receive or process orders. Some insureds may offer customers a discount to compensate them for delays in delivery.

I was recently involved in a case where a manufacturing company was the target of a ransomware attack. The insured generated a large volume of work through single source bids, where a customer would request a quote for a specific project. If the insured’s fee estimate was within certain guidelines, the customer would award them the project without obtaining quotes from other vendors.

In this case, the insured was unable to submit fee estimates for single source bids as their staff were unable to access email or any electronic data that would be used to calculate the quote, and claimed a loss of income as a result. The insured was able to support their claim by providing correspondence from the customer requesting a quote, and historical data indicating that their bid success rate with single source bids was close to 100%.

Note that if the claim is for lost sales, it will be important to determine what expenses have been saved as a result of the reduction in sales; this reduction in expenses will be offset against the sales loss in much the same way a “gross profit rate” or “gross earnings” rate is applied to a sales loss under a typical business interruption policy. 

  • Labour inefficiencies – For manufacturing businesses, during the time that the network is impacted by the cyber attack, certain tasks on the production line may need to be performed manually until systems are restored, causing labour inefficiencies. If it can be established that more labour was required to earn the same amount of revenues, those inefficiencies may form part of the business interruption loss.

Inefficiencies can be measured by comparing the historical difference between budgeted and actual hours, as a percentage. This percentage can then be compared to the actual hours spent on manufacturing tasks during the loss period to determine the extent to which more time was required for production.

It is important to note that although the insured may experience inefficiencies early on in the loss period, some of these inefficiencies can be recovered once IT systems are restored, if employees are able to work overtime and efficiency improves during this time period.

  • Overtime – Employees may need to work additional hours to catch up on delayed projects / production, or to perform tasks manually. The business interruption loss should include any overtime costs that is over and above typical levels, and can be attributed to the cyber attack.

Some insureds will claim overtime for salaried staff who are not paid for additional hours worked. It is important to verify, by reviewing pay stubs, that employees were compensated extra for the claimed overtime hours worked.

Historical overtime hours for employees should also be reviewed to determine normal overtime levels, and identify whether any overtime may be seasonal. On a file I worked on involving a consulting firm, employees typically worked overtime at the beginning of the year to assist clients who were undergoing regulatory inspections. As the loss occurred during the first quarter of the calendar year, the estimated number of normal overtime hours that would have been incurred regardless of the cyber attack were removed to calculate the overtime was solely due to the loss.

Period of loss

Cyber policies will normally define the loss period as starting from the date of the attack (subject to a waiting period), and ending when the network is restored (or some other maximum date). While some attacks have an immediate impact on the IT system, others may have a delayed response, with the repercussions emerging later.

It is generally useful to obtain from the insured a timeline of events, to understand when the attack occurred, when operations were first impacted, and when the various IT systems were brought back into operation. This information can be used to determine the length of the loss period.


Quantification of business interruption from cyber losses involves applying the same general principles that govern a typical business interruption loss. The goal is to understand, document and quantify just how the cyber event impacted the revenue and expenses of the company’s business. While new cases will involve new viruses and technology, the principles set out in this article will continue to hold true over time.

Contact us to learn more.   647-426-0146  |

Communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. For permission to republish this content, please contact Rehana Moosa Forensic Accounting Professional Corporation.

Back to Knowledge

Related Knowledge

Conducting an Internal Fraud Investigation

In a previous blog post, we discussed what to do when you first suspect that a fraud has occurred within…read more

The Capital Asset Approach To Calculating Damages

Canadian courts have typically adopted one of two categories in quantifying financial losses due to bodily…read more

Factoring In Plaintiff’s Age And Occupation To The Earnings Curve

Jane is a 59-year-old real estate lawyer who was injured in a car accident. She will be unable to continue…read more

What To Look For In A Fidelity / Crime Insurance Policy

Imagine you are a business that uses independent contractors to provide services to your clients instead…read more

Identifying Fraudulent Transactions

When businesses prepare a fidelity / crime insurance claim, much analysis is required to ensure that…read more


The RMFA Difference

Regardless of background or level of knowledge, all our clients are treated with professionalism and respect. All files, regardless of size or complexity, are treated as a top priority. That’s our promise.